1. Technical Field
The present invention relates generally to a security control apparatus and method for a cloud-based virtual desktop and, more particularly, to an apparatus and method that control data to be transmitted in order to minimize the unauthorized leakage of internal data of a cloud and the flow of a malicious file into the cloud, which may occur upon remotely accessing and using a cloud-based virtual desktop environment from a remote location.
2. Description of the Related Art
A cloud-based virtual desktop environment enables a remote user to access and use a virtual desktop computer in a cloud via the Internet. For this, cloud solutions provide virtual desktop interaction protocols such as a PC-over-Internet Protocol (PCoIP) and an Independent Computer Architecture (ICA) protocol, and support data transmission such as that for a file, a printer, or a clipboard, as well as for a screen, a keyboard, or a mouse.
Such a cloud interaction protocol provides a convenient cloud usage environment to a user while also imparting the risk of security threats, such as attacks from the outside of a cloud and the leakage of data to the outside of the cloud. For example, when a remote user transmits internal data from any location to the outside, the risk of leakage of internal data to the outside may occur. Further, when a file with malicious code attached thereto is transferred into the cloud by a user, a serious security threat may be brought into the internal system.
In particular, such a remote interaction protocol provides an encrypted channel. In this case, there is the risk of security threats incurred by bypassing all security equipment located in an area ranging from an external network to an internal cloud-based virtual desktop.
A conventional method of coping with a security threat against the leakage of internal data is a method of prohibiting external equipment such as a Universal Serial Bus (USB) device, from accessing the cloud via the configuration of a virtual desktop. Such a method is advantageous in that the transmission of data between the inside and outside of the cloud is fundamentally disabled, but it is disadvantageous in that users must undergo a lot of inconvenience when using the cloud.
Further, a conventional method of coping with the inflow of malicious code includes a method of installing an antivirus program in a virtual desktop and preventing malicious code from flowing into the cloud. Such a method is advantageous in that the inflow of well-known malicious code may be blocked, but it is disadvantageous in that it is impossible to cope with unknown malicious code, and there is no method of coping with even a case where malicious code incapacitates the antivirus program.
As related preceding technology, Korean Patent Application Publication No. 10-2012-0062969 discloses technology for maintaining the security of user data even in a computing environment in which security is not guaranteed in a host Operating System (OS) such as that of a public computer when it is desired to use a virtualization technology-based desktop environment by means of a hypervisor.
As another related preceding technology, technology for providing a secure virtual desktop environment via separation from a remote operating system in the operation of a virtual desktop is disclosed in the paper (“Cloud Terminal: Secure Access to Sensitive Applications from Untrusted Systems,” The USENIX Annual Tech. Conf., 2012, L. Martignoni, P. Poosankam, M. Zaharia, J. Han, S. McCamant, D. Song).